Grok (xm_grok)
This module supports parsing events with Grok patterns. A field is added to the event record for each pattern semantic. For more information about Grok, see the Logstash Grok filter plugin documentation.
To examine the supported platforms, see the list of installation packages.
Configuration
The xm_grok module accepts the following directives in addition to the common module directives.
Functions
The following functions are exported by xm_grok.
- boolean match_grok(string pattern)
  Execute the match_grok() procedure with the specified pattern on the $raw_event field. If the event is successfully matched, return TRUE, otherwise FALSE.
- boolean match_grok(string field, string pattern)
  Execute the match_grok() procedure with the specified pattern on the specified field. If the event is successfully matched, return TRUE, otherwise FALSE.
Procedures
The following procedures are exported by xm_grok.
- match_grok(string pattern);
  Attempt to match and parse the $raw_event field of the current event with the specified pattern.
Example
This configuration reads Syslog events from a file and parses them with the parse_syslog() procedure (this sets the $Message field). Then the match_grok() function is used to attempt a series of matches on the $Message field until one is successful. If no patterns match, an internal message is logged.
<Extension _syslog>
    Module   xm_syslog
</Extension>

<Extension grok>
    Module   xm_grok
    Pattern  modules/extension/grok/patterns2.txt
</Extension>

<Input in>
    Module   im_file
    File     'test2.log'
    <Exec>
        parse_syslog();
        if match_grok($Message, "%{SSH_AUTHFAIL_WRONGUSER}") {}
        else if match_grok($Message, "%{SSH_AUTHFAIL_WRONGCREDS}") {}
        else if match_grok($Message, "%{SSH_AUTH_SUCCESS}") {}
        else if match_grok($Message, "%{SSH_DISCONNECT}") {}
        else
        {
            log_info('Event did not match any pattern');
        }
    </Exec>
</Input>
The pattern file modules/extension/grok/patterns2.txt referenced by the Pattern directive above defines the patterns used in the match chain:

USERNAME [a-zA-Z0-9_-]+
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
WORD \b\w+\b
GREEDYDATA .*
IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
SSH_AUTHFAIL_WRONGUSER Failed %{WORD:ssh_authmethod} for invalid user %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)
SSH_AUTHFAIL_WRONGCREDS Failed %{WORD:ssh_authmethod} for %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)
SSH_AUTH_SUCCESS Accepted %{WORD:ssh_authmethod} for %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)(?:: %{WORD:ssh_pubkey_type} %{GREEDYDATA:ssh_pubkey_fingerprint})?
SSH_DISCONNECT Received disconnect from %{IP:ssh_client_ip} port %{INT:ssh_client_port}.*?:\s+%{GREEDYDATA:ssh_disconnect_reason}
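To make concrete what "a field is added to the event record for each pattern semantic" means, and how the if/else chain in the Exec block behaves, here is an added Python example (not NXLog code and not part of this page) that expands the patterns2.txt definitions above into ordinary regular expressions and runs the same four-pattern chain over constructed sample messages. Two details are assumptions, not NXLog behaviour: the match is an unanchored search (as in the Logstash grok filter), and the atomic group (?>...) in BASE10NUM is rewritten to (?:...) because Python's re module before 3.11 does not support atomic groups. The sample SSH messages and the fingerprint value are constructed for the example.

```python
import re

# Pattern definitions copied from the patterns2.txt listing on this page.
# Only change: the atomic group (?>...) in BASE10NUM became (?:...) so the
# definitions compile on every Python 3 version (assumption: same match results
# for these inputs, since nothing here relies on atomic backtracking).
PATTERN_DEFS = r"""
USERNAME [a-zA-Z0-9_-]+
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
WORD \b\w+\b
GREEDYDATA .*
IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
SSH_AUTHFAIL_WRONGUSER Failed %{WORD:ssh_authmethod} for invalid user %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)
SSH_AUTHFAIL_WRONGCREDS Failed %{WORD:ssh_authmethod} for %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)
SSH_AUTH_SUCCESS Accepted %{WORD:ssh_authmethod} for %{USERNAME:ssh_user} from %{IP:ssh_client_ip} port %{NUMBER:ssh_client_port} (?<ssh_protocol>\w+\d+)(?:: %{WORD:ssh_pubkey_type} %{GREEDYDATA:ssh_pubkey_fingerprint})?
SSH_DISCONNECT Received disconnect from %{IP:ssh_client_ip} port %{INT:ssh_client_port}.*?:\s+%{GREEDYDATA:ssh_disconnect_reason}
"""

# %{NAME} references a pattern; %{NAME:field} references it and names the capture.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def load_patterns(text):
    """Parse a grok pattern file: one 'NAME regex' definition per line."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(" ")
        defs[name] = body
    return defs


def compile_grok(pattern, defs):
    """Recursively expand %{...} references and compile to a Python regex."""

    def expand(p, depth=0):
        if depth > 20:  # guard against self-referencing definitions
            raise ValueError("grok reference nesting too deep (cycle?)")

        def repl(m):
            name, field = m.group(1), m.group(2)
            if name not in defs:
                raise KeyError("unknown grok pattern %s" % name)
            inner = expand(defs[name], depth + 1)
            # A semantic becomes a named group; a bare reference stays anonymous.
            return "(?P<%s>%s)" % (field, inner) if field else "(?:%s)" % inner

        return GROK_REF.sub(repl, p)

    expanded = expand(pattern)
    # Grok files spell named groups (?<name>...); Python needs (?P<name>...).
    # \w+ followed by '>' never matches lookbehinds such as (?<![0-9]).
    expanded = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expanded)
    return re.compile(expanded)


def match_grok(event, field, compiled):
    """Model of match_grok(field, pattern): on success add one event field per
    named capture and return True; on failure leave the event unchanged and
    return False. Unanchored search is an assumption (Logstash semantics)."""
    m = compiled.search(event.get(field, ""))
    if not m:
        return False
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return True


DEFS = load_patterns(PATTERN_DEFS)
# Same order as the Exec block on this page; order matters when patterns overlap,
# so the more specific pattern is tried first.
PATTERN_CHAIN = ["%{SSH_AUTHFAIL_WRONGUSER}", "%{SSH_AUTHFAIL_WRONGCREDS}",
                 "%{SSH_AUTH_SUCCESS}", "%{SSH_DISCONNECT}"]
COMPILED = {p: compile_grok(p, DEFS) for p in PATTERN_CHAIN}


def parse_ssh_message(message):
    """Equivalent of the if/else chain: returns (matched pattern name or None, event)."""
    event = {"Message": message}  # what parse_syslog() would have left in $Message
    for pat in PATTERN_CHAIN:
        if match_grok(event, "Message", COMPILED[pat]):
            return pat.strip("%{}"), event
    return None, event  # the log_info('Event did not match any pattern') branch


if __name__ == "__main__":
    # Constructed sample messages (RFC 5737 documentation addresses, fake fingerprint).
    for msg in [
        "Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
        "Failed password for root from 198.51.100.7 port 40022 ssh2",
        "Accepted publickey for alice from 203.0.113.5 port 58844 ssh2: ED25519 SHA256:EXAMPLEfingerprintNotReal",
        "Received disconnect from 203.0.113.5 port 58844:11: disconnected by user",
        "Connection closed by 203.0.113.5 port 58844 [preauth]",
    ]:
        print(parse_ssh_message(msg))
```

The fields that land in the event (ssh_user, ssh_client_ip, ssh_client_port, and so on) are exactly the semantics named in the pattern file, which is what makes the parsed events usable for downstream filtering or correlation, for example counting SSH_AUTHFAIL_* events per ssh_client_ip.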